Bug 33535 - calibre new security issues CVE-2023-46303, CVE-2024-678[12] and CVE-2024-700[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.fedoraproject.org/archi...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Duplicates: 33494
Depends on:
Blocks:
 
Reported: 2024-09-06 10:32 CEST by Nicolas Salguero
Modified: 2025-02-12 07:38 CET
CC List: 4 users

See Also:
Source RPM: calibre-6.17.0-1.mga9.src.rpm
CVE: CVE-2023-46303, CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009
Status comment:


Nicolas Salguero 2024-09-06 10:33:12 CEST

Source RPM: (none) => calibre-6.17.0-1.mga9.src.rpm
Status comment: (none) => Patches available from Debian and upstream
CVE: (none) => CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009

Comment 1 Marja Van Waes 2024-09-06 21:35:11 CEST
Assigning to our registered calibre maintainer.

URL: (none) => https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTG4W7NKCI3YSS24S3XTWQKFDUAR6BN3/
Assignee: bugsquad => smelror
CC: (none) => marja11

Comment 2 Nicolas Salguero 2025-02-11 07:42:50 CET
*** Bug 33494 has been marked as a duplicate of this bug. ***

CC: (none) => contact

Nicolas Salguero 2025-02-11 13:40:45 CET

Summary: calibre new security issues CVE-2024-678[12] and CVE-2024-700[89] => calibre new security issues CVE-2023-46303, CVE-2024-678[12] and CVE-2024-700[89]
CVE: CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009 => CVE-2023-46303, CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009

Comment 3 Nicolas Salguero 2025-02-11 14:23:15 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root. (CVE-2023-46303)

Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read. (CVE-2024-6781)

Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution. (CVE-2024-6782)

Unsanitized user input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting. (CVE-2024-7008)

Unsanitized user input in Calibre <= 7.15.0 allows users with permission to perform full-text searches to achieve SQL injection on the SQLite database. (CVE-2024-7009)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTG4W7NKCI3YSS24S3XTWQKFDUAR6BN3/
========================

Updated package in core/updates_testing:
========================
calibre-6.17.0-1.1.mga9

from SRPM:
calibre-6.17.0-1.1.mga9.src.rpm

Status comment: Patches available from Debian and upstream => (none)
Status: NEW => ASSIGNED
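
The two path-traversal entries in the advisory above (CVE-2023-46303, where link_to_local_path could add resources from outside the document root, and CVE-2024-6781, an unauthenticated arbitrary file read) reduce to the same missing check: a reference taken from untrusted content is resolved and opened without confirming that the result still lies under the intended root. The block below is an added example written for this bug page. It is not calibre's code, not the Debian or upstream patch, and makes no claim about how html_input.py or the content server actually implement the fix; the function names, the error class and the constructed document tree are all assumptions of the example. It shows the generic containment check, including the two edge cases that a naive "does it start with ../" test misses: percent-encoded dot segments and a symlink inside the root that points outside it.

```python
"""Document-root containment check for resolved resource links.

Added illustration for this advisory; NOT calibre's code and not the upstream
fix. Function names, the exception type and the sample tree are assumptions.
"""
from __future__ import annotations

import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote, urlsplit


class OutsideDocumentRoot(ValueError):
    """Raised when a link resolves to a location outside the document root."""


def resolve_within_root(root: Path, base_file: Path, href: str) -> Path:
    """Resolve ``href`` as found in ``base_file`` and confirm it stays under ``root``.

    Order matters (these are the example's own steps, not calibre's):
      1. reject references that carry a scheme or host (file:, http:, //host);
      2. percent-decode, because "%2e%2e/" is ".." once it reaches the filesystem;
      3. reject absolute paths so "/etc/passwd" is not joined at all;
      4. join to the referring file's directory and resolve symlinks;
      5. require the real path to be the root itself or something beneath it.
    """
    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        raise OutsideDocumentRoot(f"non-local reference rejected: {href!r}")
    rel = unquote(parts.path)
    if not rel or PurePosixPath(rel).is_absolute():
        raise OutsideDocumentRoot(f"absolute or empty path rejected: {href!r}")
    root_real = root.resolve()
    # resolve() follows symlinks and collapses "..", so the comparison below
    # is made on the path that would actually be opened
    candidate = (base_file.resolve().parent / rel).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise OutsideDocumentRoot(f"{href!r} escapes {root_real}") from None
    return candidate


def demo() -> dict[str, bool]:
    """Build a throwaway document root and classify constructed links.

    Returns {href: accepted?} so the outcome can be asserted on rather than
    read off stdout. Every path and file here is constructed for the example.
    """
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "book"
    (root / "images").mkdir(parents=True)
    (root / "index.html").write_text("<html></html>")
    (root / "images" / "cover.jpg").write_bytes(b"\xff\xd8")
    secret = tmp / "secret.txt"           # deliberately outside the root
    secret.write_text("not part of the book")
    try:
        (root / "escape").symlink_to(secret)   # symlink inside root -> outside
        have_symlink = True
    except OSError:                            # e.g. no symlink privilege
        have_symlink = False

    cases = [
        "images/cover.jpg",        # ordinary resource: accept
        "images/../index.html",    # ".." that stays inside: accept
        "../secret.txt",           # plain traversal: reject
        "%2e%2e/secret.txt",       # encoded traversal: reject
        "/etc/passwd",             # absolute path: reject
        "file:///etc/passwd",      # scheme-carrying reference: reject
        "//host/share/x",          # host-carrying reference: reject
    ]
    if have_symlink:
        cases.append("escape")     # symlink out of the root: reject

    results: dict[str, bool] = {}
    for href in cases:
        try:
            resolve_within_root(root, root / "index.html", href)
            results[href] = True
        except OutsideDocumentRoot:
            results[href] = False
    return results


if __name__ == "__main__":
    for href, ok in demo().items():
        print(f"{'accept' if ok else 'reject':6}  {href}")
```

The check is done on the fully resolved path on both sides, which is what defeats the symlink and encoded-dot cases; comparing the unresolved string against a prefix, or checking only for a literal "..", would pass both. The same function serves a conversion plugin collecting resources and a server handing back files, since in both cases the only question is whether the real file lies under the root the caller chose.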

katnatek 2025-02-11 20:05:45 CET

Assignee: smelror => qa-bugs

katnatek 2025-02-11 20:07:40 CET

Keywords: (none) => advisory

Comment 4 katnatek 2025-02-11 20:20:45 CET
RH x86_64

installing calibre-6.17.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: calibre               ##################################################################################################
      1/1: removing calibre-6.17.0-1.mga9.x86_64
                                 ##################################################################################################

Configure 1st time run
Read the quick start guide, looks good to me.

Comment 5 Thomas Andrews 2025-02-11 21:24:49 CET
I have some experience using Calibre to convert ebooks from one format to another, but not with Mageia 9. Should be interesting...

Installed calibre and 112 needed dependencies, then updated with no issues. Ran it, downloaded a "news" article, and I read some of it before becoming bored. Looked at my old ebook downloads, found one in pdf format, converted it to epub (the favored format of my Android tablet's ereader), and examined a few pages. Looked good.

I think this is good to go.

Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2025-02-12 07:38:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0049.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
